You can replace the default certificate that comes with a Virtual Trusted Platform Module (vTPM) device.


You must have a vTPM-enabled virtual machine in your environment.


  1. Connect to vCenter Server by using the vSphere Client.
  2. Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
  3. In the inventory, select the vTPM-enabled virtual machine whose certificate you want to replace.
  4. Click the Configure tab.
  5. Under TPM, select Signing Requests.
  6. Select a certificate.
  7. To export the certificate information, click Export.
    The certificate is saved to disk.
  8. Get a certificate issued by a third-party certificate authority (CA) against the certificate signing request (CSR) you exported.
    You can use any CA that you might have in your IT environment.
  9. When you have the new certificate, replace the existing certificate.
    1. Right-click the virtual machine in the inventory whose certificate you want to replace and select Edit Settings.
    2. In the Edit Settings dialog box, expand Security Devices, then expand Trusted Platform Module.
      The certificates appear.
    3. Click Replace for the certificate you want to replace.
      The File Upload dialog box appears.
    4. On your local machine, locate the new certificate and upload it.
      The new certificate replaces the default certificate that came with your vTPM device.
    5. The certificate name is updated in the virtual machine Summary tab under the Virtual Trusted Platform Module list.
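
Between steps 8 and 9, it is worth confirming that the certificate the CA returned was issued for the CSR you exported and is not about to expire. The following shell functions are an added example, not part of the original procedure or a VMware tool. They assume the exported CSR and the issued certificate are PEM files and that the `openssl` command is installed; the function names, file names, and the sample CSR and CA generated for the demo are constructed for illustration.

```shell
#!/bin/sh
# Pre-upload checks for a CA-issued vTPM certificate (added example).
# Assumption: both the exported CSR and the issued certificate are PEM files.

# check_vtpm_cert CSR CERT [MIN_VALID_SECONDS]
# Returns 0 and prints "ok" only if CERT carries the public key from CSR
# and stays valid for at least MIN_VALID_SECONDS (default: one day).
# Return codes: 1 = key mismatch, 2 = unreadable input, 3 = expires too soon.
check_vtpm_cert() {
    csr=$1 crt=$2 min_valid=${3:-86400}
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse CSR"; return 2; }
    crt_key=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse certificate"; return 2; }
    # A certificate issued for a different request will not match the
    # key held by this vTPM, so stop before uploading it.
    [ "$csr_key" = "$crt_key" ] || { echo "public key mismatch"; return 1; }
    openssl x509 -in "$crt" -noout -checkend "$min_valid" >/dev/null \
        || { echo "expires too soon"; return 3; }
    echo "ok"
}

# make_sample DIR
# Builds constructed test material in DIR: a throwaway key and CSR standing in
# for the vTPM export, a throwaway CA, and a certificate issued against the CSR.
make_sample() {
    dir=$1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/vtpm.key" \
        -subj "/CN=sample-vtpm" -out "$dir/vtpm.csr" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -subj "/CN=Sample CA" -days 30 -out "$dir/ca.crt" 2>/dev/null
    openssl x509 -req -in "$dir/vtpm.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/vtpm.crt" 2>/dev/null
}

# Demo on the constructed files: the issued certificate passes, while the
# CA's own certificate (a different key) is rejected as a mismatch.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_vtpm_cert "$demo_dir/vtpm.csr" "$demo_dir/vtpm.crt"
check_vtpm_cert "$demo_dir/vtpm.csr" "$demo_dir/ca.crt" || true
rm -rf "$demo_dir"
```

The check compares public keys and expiry only; it does not validate the CA chain or certificate extensions.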